Hash functions from superspecial genus-2 curves using Richelot isogenies
Wouter Castryck, Thomas Decru, and Benjamin Smith
NutMiC 2019, Paris, June 24, 2019

Background
2006: hash functions based on supersingular elliptic curves (Charles, Goren, Lauter)
2011: key exchange protocol based on supersingular elliptic curves called SIDH (Jao, De Feo)
2018: hash function based on supersingular genus-2 curves (Takashima)
2019: collisions in genus-2 hash, create genus-2 SIDH (Flynn, Ti)
2019: we fix collisions and smooth out a bunch of technicalities

Hash functions from expander graph
Input: 110; Output: H
[Figure: graph with vertices A to J; at each step of the walk the available edges are labelled 0 and 1, and the next input bit selects the edge to follow.]

Supersingular $\ell$-isogeny graph over $\mathbb{F}_{p^2}$
Construct the graph $G(p, \ell)$ as follows:
Vertices: all supersingular elliptic curves over $\mathbb{F}_{p^2}$ up to $\cong$
Edges: all $\ell$-isogenies between them
Some properties:
Number of vertices $\sim p/12$
Good expander graph
Every node has $\ell + 1$ edges

$G(277, 2)$ with $\mathbb{F}_{277^2} \cong \mathbb{F}_{277}(a) \cong \mathbb{F}_{277}[x]/(x^2 + 274x + 5)$
[Figure: the graph $G(277, 2)$, with vertices labelled by elements of $\mathbb{F}_{277}(a)$.]

Security
Problem: Given two supersingular elliptic curves $E$ and $E'$ defined over $\mathbb{F}_{p^2}$, find an $\ell^k$-isogeny between them.
Problem: Given any supersingular elliptic curve $E$ defined over $\mathbb{F}_{p^2}$, find a curve $E'$ and two distinct isogenies of degree $\ell^k$ and $\ell^{k'}$ between them.

General idea
2-isogenies between supersingular elliptic curves
↓
(2,2)-isogenies between principally polarized superspecial abelian surfaces

Elliptic curves
Definition: An elliptic curve, say $E$, over a field $K$ of odd characteristic, is an algebraic curve defined by an equation of the form $E : y^2 = f(x)$, where $f(x)$ is a squarefree polynomial in $K[x]$ of degree 3 or 4.

Genus two curves
Definition: A hyperelliptic curve of genus two, say $C$, over a field $K$ of odd characteristic, is an algebraic curve defined by an equation of the form $C : y^2 = f(x)$, where $f(x)$ is a squarefree polynomial in $K[x]$ of degree 5 or 6.

Elliptic curves group law
[Figure: curve with the points $P$, $Q$, $-(P+Q)$ and $P+Q$.]

Genus two curves group law
[Figure, built up over several frames: curve with the points $P_1, P_2$ and $Q_1, Q_2$, then $-R_1, -R_2$, and finally $R_1, R_2$.]

Abelian surfaces
Definition: An abelian surface is a two-dimensional projective algebraic variety that is also an algebraic group.
Always isomorphic to one of the following:
the Jacobian of a (hyperelliptic) genus-2 curve
a product of two elliptic curves

Principal polarization
Definition: A principal polarization is an isomorphism $\lambda$ from an abelian variety $A$ to its dual, which is of the form $\lambda_L : A(\bar{k}) \to \mathrm{Pic}(A),\ a \mapsto t_a^* L \otimes L^{-1}$, for some ample sheaf $L$ on $A(\bar{k})$. (The formula is crossed out on the following frame of the slide.)
Read: we have equations!
$y^2 = a_6 x^6 + a_5 x^5 + a_4 x^4 + a_3 x^3 + a_2 x^2 + a_1 x + a_0$
$(y^2 = x^3 + b_1 x + b_0) \times (y^2 = x^3 + c_1 x + c_0)$

Supersingular elliptic curves
$E$ is supersingular iff
the $p$-torsion of $E$ is trivial,
or $\mathrm{End}(E)$ is an order in a quaternion algebra,
or the trace of Frobenius is divisible by $p$,
or the Newton polygon is a straight line segment with slope 1/2,
or the dual of Frobenius is purely inseparable,
or the Hasse invariant is 0,
...

Superspecial genus two curves
Definition: A p.p. abelian surface defined over a field with characteristic $p$ is superspecial if the Hasse invariant is zero.
Why?
Finite number: $\sim p^3/2880$
All defined over $\mathbb{F}_{p^2}$

Superspecial abelian surfaces over $\mathbb{F}_{13^2}$
[Figure: four vertices, the Jacobians $J_{C_1}$, $J_{C_2}$, $J_{C_3}$ and the product $E \times E$, relabelled in later frames by their invariants $(7, 2, 2)$, $(2, 6, 5)$, $(4, 9, 6)$ and $\{5, 5\}$.]

(2,2)-isogenies
Definition: A (2,2)-isogeny $\varphi$ is an isogeny such that $\ker \varphi \cong \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}/2\mathbb{Z}$ and $\ker \varphi$ is maximal isotropic with respect to the 2-Weil pairing.
Remark: there are 15 of these (2,2)-isogenies for every $A$, and at least 9 are to the same type of abelian surface, so $J_C \to J_{C'}$ or $E_1 \times E_2 \to E_1' \times E_2'$.

Superspecial p.p. abelian surface (2,2)-isogeny graph over $\mathbb{F}_{13^2}$
[Figure: the graph on the four vertices $(7, 2, 2)$, $(2, 6, 5)$, $(4, 9, 6)$ and $\{5, 5\}$, with numeric labels on the edges.]

Superspecial p.p. abelian surface (2,2)-isogeny graph over $\mathbb{F}_{p^2}$
Isogeny graph $G_p$:
Vertices: all p.p. superspecial abelian surfaces over $\mathbb{F}_{p^2}$ up to isomorphism
genus-2 curves: absolute Igusa invariants $(j_1, j_2, j_3) \in \mathbb{F}_{p^2}^3$
products of elliptic curves: $j$-invariants $\{j_1, j_2\} \subset \mathbb{F}_{p^2}$
Edges: all (2,2)-isogenies between them
Intuitively:
Interior of $G_p$: $\sim p^3/2880$ genus-2 curves
Boundary of $G_p$: $\sim p^2/288$ products of elliptic curves

Restrict to Jacobians of genus-2 curves
Ignore products of elliptic curves:
$O(1/p)$ chance of encountering
formulas are less efficient
what would output be? $\{j_1, j_2\}$ vs $(j_1, j_2, j_3)$

Richelot isogenies
$C_0 : y^2 = G_1 G_2 G_3$, with $G_1 = (x - \alpha_1)(x - \alpha_2)$, $G_2 = (x - \alpha_3)(x - \alpha_4)$, $G_3 = (x - \alpha_5)(x - \alpha_6)$
Take $\varphi_1 : J_{C_0} \to J_{C_1}$ the (2,2)-isogeny with kernel $\{0,\ [(\alpha_1, 0) - (\alpha_2, 0)],\ [(\alpha_3, 0) - (\alpha_4, 0)],\ [(\alpha_5, 0) - (\alpha_6, 0)]\}$
$C_1 : y^2 = \delta^{-1} H_1 H_2 H_3$, with $H_1 = G_2' G_3 - G_2 G_3'$, $H_2 = G_3' G_1 - G_3 G_1'$, $H_3 = G_1' G_2 - G_1 G_2'$

Avoiding dual isogeny
Continuing with $y^2 = H_1 H_2 H_3$ gives the dual isogeny $\hat{\varphi}_1$ and the composition is a (2,2,2,2)-isogeny.
[Figure: $\varphi_1$ from $A_0$ to $A_1$ and $\hat{\varphi}_1$ back from $A_1$ to $A_0$.]

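The Richelot formula and the dual-isogeny remark above, as an added example that is not from the talk: it computes $(H_1, H_2, H_3)$ from a quadratic splitting and checks that feeding $(H_1, H_2, H_3)$ back into the same formula returns each $G_i$ times the common scalar $-2\delta$, which is why a hash walk has to choose a different splitting for its next step. Assumptions: the prime field $\mathbb{F}_{101}$ and the roots 1..6 are constructed for brevity (the slides work over $\mathbb{F}_{p^2}$), and $\delta$ is taken to be the determinant of the coefficients of $G_1, G_2, G_3$, the usual definition, which the slides do not spell out.

```python
# Added example: Richelot step on a quadratic splitting, over a prime field F_p.
# Polynomials are coefficient lists [c0, c1, c2], lowest degree first.
P = 101  # constructed small prime (assumption); the slides work over F_{p^2}

def quad_from_roots(a, b, p=P):
    """(x - a)(x - b) mod p."""
    return [(a * b) % p, (-(a + b)) % p, 1]

def bracket(A, B, p=P):
    """A'B - AB' for quadratics; the x^3 terms cancel, so degree <= 2."""
    a0, a1, a2 = A
    b0, b1, b2 = B
    return [(a1 * b0 - a0 * b1) % p,
            (2 * (a2 * b0 - a0 * b2)) % p,
            (a2 * b1 - a1 * b2) % p]

def delta(G, p=P):
    """Determinant of the 3x3 coefficient matrix of (G1, G2, G3)."""
    (a, b, c), (d, e, f), (g, h, i) = G
    return (a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)) % p

def richelot(G, p=P):
    """Return (delta, (H1, H2, H3)) with H1 = G2'G3 - G2G3' and cyclically."""
    G1, G2, G3 = G
    d = delta(G, p)
    if d == 0:
        # Degenerate splitting: the codomain is a product of elliptic curves.
        raise ValueError("delta = 0")
    return d, (bracket(G2, G3, p), bracket(G3, G1, p), bracket(G1, G2, p))

def steps_back(G, p=P):
    """True if reusing the splitting (H1, H2, H3) returns each G_i times -2*delta."""
    d, H = richelot(G, p)
    _, K = richelot(H, p)
    c = (-2 * d) % p
    return all(K[i] == [(c * x) % p for x in G[i]] for i in range(3))

# Constructed input: roots 1..6 paired as (a1, a2), (a3, a4), (a5, a6).
G = (quad_from_roots(1, 2), quad_from_roots(3, 4), quad_from_roots(5, 6))

if __name__ == "__main__":
    d, H = richelot(G)
    print("delta =", d)
    print("H1, H2, H3 =", H)
    print("second step with (H1, H2, H3) undoes the first:", steps_back(G))
```
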
Avoiding small cycles
Continuing with one factor fixed, e.g. $y^2 = H_1 \tilde{H}_2 \tilde{H}_3$, gives a (2,2)-isogeny $\varphi_2$, with a composed (4,2,2)-isogeny.
[Figure: $A_0$ and $A_2$ joined through $A_1$ by $\varphi_1, \varphi_2$, and also through $A_1'$ by $\varphi_1', \varphi_2'$ and through $A_1''$ by $\varphi_1'', \varphi_2''$.]